Microsoft Is Killing SMS Login for Millions of Business Accounts. Here Is What Replaces It.
Starting September 2026, Microsoft will push passkeys as the default way to prove your identity in its business login system. By February 2027, the old text-message codes go dark entirely.

Key points
- From 1 September 2026, Microsoft will automatically prompt all business users of its Entra ID login platform to set up a passkey instead of a password or text-message code.
- Microsoft-provided SMS and voice authentication will end permanently on 1 February 2027.
- Passkeys use a fingerprint, face scan, or device PIN to verify identity, making them far harder for criminals to steal than a password or a one-time text code.
- Enterprises that still need SMS or voice login for regulatory reasons must sign up with a third-party phone carrier through the Microsoft Security Store by 30 October 2026 and pay their own costs.
- There will be no opt-out option after the February 2027 deadline.
Most of us are used to logging in with a password, then waiting for a six-digit code to arrive by text. That second step, called multi-factor authentication (MFA), meaning a second check beyond just the password, was a genuine improvement when it arrived. For millions of people using Microsoft business accounts, it is now being retired.
Microsoft is replacing it with passkeys. A passkey is a digital credential, stored on your phone, laptop, or a small USB security key, that proves you are who you claim to be using your fingerprint, face, or device PIN. No password to type. No text code to intercept.
The change affects Microsoft Entra ID, which is the cloud-based system businesses use to control who can log in to company software. Think of it as the front door of a large office building: Entra ID decides who gets a key and who gets turned away. It sits at the centre of identity management for a huge number of organisations.
Why is Microsoft doing this now?
Because the old front door is getting kicked in constantly. Criminals are now using AI tools to build convincing fake login pages at industrial scale, a technique called phishing. A convincing fake page can trick an employee into typing their password and their text-code. Passkeys cannot be handed over on a fake page because they never leave the device they are stored on.
Microsoft corporate vice president Nadim Abdo said the threat environment has changed in "speed, scale, and sophistication." That is true, and it is not PR spin. The shift to AI-assisted credential theft is measurable in incident response data.
The failure mode here is the same one that has powered credential breaches for a decade: a human, under time pressure, types secrets into a box they did not scrutinise carefully enough. Passkeys remove the secret from the equation.
In practice, this does not make businesses invulnerable. Passkeys do not stop an attacker who has already taken full control of a device, or who steals the session token (a temporary access pass your browser holds after login) after you have authenticated. Endpoint protection and continuous monitoring still matter.
If you are an employee whose company uses Microsoft 365 or other Microsoft business software, watch for a prompt to register a passkey when you next sign in after September. Follow it. Recovery if you skip it and lose access later will cost you time and your IT team patience.
One thing the post-mortem will say, when the first major breach happens to a firm that dragged its feet on this deadline: the migration window was six months, and they had the exact dates in writing.
Operational takeaway: Default settings drive adoption more than any awareness campaign, and Microsoft just made the secure option the only option.



